Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.
The OKD 4 installation program provides only a low number of configuration options before installation. Configuring most OKD framework components, including the cluster monitoring stack, happens post-installation.
This section explains what configuration is supported, shows how to configure the monitoring stack, and demonstrates several common configuration scenarios.
The monitoring stack imposes additional resource requirements. Consult the computing resources recommendations in Scaling the Cluster Monitoring Operator and verify that you have sufficient resources.
The supported way of configuring OKD Monitoring is by configuring it using the options described in this document. Do not use other configurations, as they are unsupported. Configuration paradigms might change across Prometheus releases, and such cases can only be handled gracefully if all configuration possibilities are controlled. If you use configurations other than those described in this section, your changes will disappear because the cluster-monitoring-operator
reconciles any differences. The Operator resets everything to the defined state by default and by design.
The following modifications are explicitly not supported:
Creating additional ServiceMonitor
, PodMonitor
, and PrometheusRule
objects in the openshift-*
and kube-*
projects.
Modifying any resources or objects deployed in the openshift-monitoring
or openshift-user-workload-monitoring
projects. The resources created by the OKD monitoring stack are not meant to be used by any other resources, as there are no guarantees about their backward compatibility.
The Alertmanager configuration is deployed as a secret resource in the |
Modifying resources of the stack. The OKD monitoring stack ensures its resources are always in the state it expects them to be. If they are modified, the stack will reset them.
Deploying user-defined workloads to openshift-*
, and kube-*
projects. These projects are reserved for Red Hat provided components and they should not be used for user-defined workloads.
Modifying the monitoring stack Grafana instance.
Installing custom Prometheus instances on OKD.
Enabling symptom based monitoring by using the Probe
custom resource definition (CRD) in Prometheus Operator.
Modifying Alertmanager configurations by using the AlertmanagerConfig
CRD in Prometheus Operator.
Backward compatibility for metrics, recording rules, or alerting rules is not guaranteed. |
Monitoring Operators ensure that OKD monitoring resources function as designed and tested. If Cluster Version Operator (CVO) control of an Operator is overridden, the Operator does not respond to configuration changes, reconcile the intended state of cluster objects, or receive updates.
While overriding CVO control for an Operator can be helpful during debugging, this is unsupported and the cluster administrator assumes full control of the individual component configurations and upgrades.
The spec.overrides
parameter can be added to the configuration for the CVO to allow administrators to provide a list of overrides to the behavior of the CVO for a component. Setting the spec.overrides[].unmanaged
parameter to true
for a component blocks cluster upgrades and alerts the administrator after a CVO override has been set:
Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.
Setting a CVO override puts the entire cluster in an unsupported state and prevents the monitoring stack from being reconciled to its intended state. This impacts the reliability features built into Operators and prevents updates from being received. Reported issues must be reproduced after removing any overrides for support to proceed. |
You can configure the monitoring stack by creating and updating monitoring config maps.
To configure core OKD monitoring components, you must create the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project.
When you save your changes to the |
You have access to the cluster as a user with the cluster-admin
role.
You have installed the OpenShift CLI (oc
).
Check whether the cluster-monitoring-config
ConfigMap
object exists:
$ oc -n openshift-monitoring get configmap cluster-monitoring-config
If the ConfigMap
object does not exist:
Create the following YAML manifest. In this example the file is called cluster-monitoring-config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
Apply the configuration to create the ConfigMap
object:
$ oc apply -f cluster-monitoring-config.yaml
To configure the components that monitor user-defined projects, you must create the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project.
When you save your changes to the |
You have access to the cluster as a user with the cluster-admin
role.
You have installed the OpenShift CLI (oc
).
Check whether the user-workload-monitoring-config
ConfigMap
object exists:
$ oc -n openshift-user-workload-monitoring get configmap user-workload-monitoring-config
If the user-workload-monitoring-config
ConfigMap
object does not exist:
Create the following YAML manifest. In this example the file is called user-workload-monitoring-config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
Apply the configuration to create the ConfigMap
object:
$ oc apply -f user-workload-monitoring-config.yaml
Configurations applied to the |
In OKD 4, you can configure the monitoring stack using the cluster-monitoring-config
or user-workload-monitoring-config
ConfigMap
objects. Config maps configure the Cluster Monitoring Operator (CMO), which in turn configures the components of the stack.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Edit the ConfigMap
object.
To configure core OKD monitoring components:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add your configuration under data/config.yaml
as a key-value pair <component_name>: <component_configuration>
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>:
<configuration_for_the_component>
Substitute <component>
and <configuration_for_the_component>
accordingly.
The following example ConfigMap
object configures a persistent volume claim (PVC) for Prometheus. This relates to the Prometheus instance that monitors core OKD components only:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s: (1)
volumeClaimTemplate:
spec:
storageClassName: fast
volumeMode: Filesystem
resources:
requests:
storage: 40Gi
1 | Defines the Prometheus component and the subsequent lines define its configuration. |
To configure components that monitor user-defined projects:
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add your configuration under data/config.yaml
as a key-value pair <component_name>: <component_configuration>
:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
<configuration_for_the_component>
Substitute <component>
and <configuration_for_the_component>
accordingly.
The following example ConfigMap
object configures a data retention period and minimum container resource requests for Prometheus. This relates to the Prometheus instance that monitors user-defined projects only:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus: (1)
retention: 24h (2)
resources:
requests:
cpu: 200m (3)
memory: 2Gi (4)
1 | Defines the Prometheus component and the subsequent lines define its configuration. |
2 | Configures a twenty-four hour data retention period for the Prometheus instance that monitors user-defined projects. |
3 | Defines a minimum resource request of 200 millicores for the Prometheus container. |
4 | Defines a minimum pod resource request of 2 GiB of memory for the Prometheus container. |
The Prometheus config map component is called |
Save the file to apply the changes to the ConfigMap
object. The pods affected by the new configuration are restarted automatically.
Configurations applied to the |
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
This table shows the monitoring components you can configure and the keys used to specify the components in the cluster-monitoring-config
and user-workload-monitoring-config
ConfigMap
objects:
Component | cluster-monitoring-config config map key | user-workload-monitoring-config config map key |
---|---|---|
Prometheus Operator |
|
|
Prometheus |
|
|
Alertmanager |
|
|
kube-state-metrics |
|
|
openshift-state-metrics |
|
|
Grafana |
|
|
Telemeter Client |
|
|
Prometheus Adapter |
|
|
Thanos Querier |
|
|
Thanos Ruler |
|
The Prometheus key is called |
You can move any of the monitoring stack components to specific nodes.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Edit the ConfigMap
object:
To move a component that monitors core OKD projects:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Specify the nodeSelector
constraint for the component under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>:
nodeSelector:
<node_key>: <node_value>
<node_key>: <node_value>
<...>
Substitute <component>
accordingly and substitute <node_key>: <node_value>
with the map of key-value pairs that specifies a group of destination nodes. Often, only a single key-value pair is used.
The component can only run on nodes that have each of the specified key-value pairs as labels. The nodes can have additional labels as well.
Many of the monitoring components are deployed by using multiple pods across different nodes in the cluster to maintain high availability. When moving monitoring components to labeled nodes, ensure that enough matching nodes are available to maintain resilience for the component. If only one label is specified, ensure that enough nodes contain that label to distribute all of the pods for the component across separate nodes. Alternatively, you can specify multiple labels each relating to individual nodes. |
If monitoring components remain in a |
For example, to move monitoring components for core OKD projects to specific nodes that are labeled nodename: controlplane1
, nodename: worker1
, nodename: worker2
, and nodename: worker2
, use:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusOperator:
nodeSelector:
nodename: controlplane1
prometheusK8s:
nodeSelector:
nodename: worker1
nodename: worker2
alertmanagerMain:
nodeSelector:
nodename: worker1
nodename: worker2
kubeStateMetrics:
nodeSelector:
nodename: worker1
grafana:
nodeSelector:
nodename: worker1
telemeterClient:
nodeSelector:
nodename: worker1
k8sPrometheusAdapter:
nodeSelector:
nodename: worker1
nodename: worker2
openshiftStateMetrics:
nodeSelector:
nodename: worker1
thanosQuerier:
nodeSelector:
nodename: worker1
nodename: worker2
To move a component that monitors user-defined projects:
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Specify the nodeSelector
constraint for the component under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
nodeSelector:
<node_key>: <node_value>
<node_key>: <node_value>
<...>
Substitute <component>
accordingly and substitute <node_key>: <node_value>
with the map of key-value pairs that specifies the destination nodes. Often, only a single key-value pair is used.
The component can only run on nodes that have each of the specified key-value pairs as labels. The nodes can have additional labels as well.
Many of the monitoring components are deployed by using multiple pods across different nodes in the cluster to maintain high availability. When moving monitoring components to labeled nodes, ensure that enough matching nodes are available to maintain resilience for the component. If only one label is specified, ensure that enough nodes contain that label to distribute all of the pods for the component across separate nodes. Alternatively, you can specify multiple labels each relating to individual nodes. |
If monitoring components remain in a |
For example, to move monitoring components for user-defined projects to specific worker nodes labeled nodename: worker1
, nodename: worker2
, and nodename: worker2
, use:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheusOperator:
nodeSelector:
nodename: worker1
prometheus:
nodeSelector:
nodename: worker1
nodename: worker2
thanosRuler:
nodeSelector:
nodename: worker1
nodename: worker2
Save the file to apply the changes. The components affected by the new configuration are moved to the new nodes automatically.
Configurations applied to the |
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
See the Kubernetes documentation for details on the nodeSelector
constraint
You can assign tolerations to any of the monitoring stack components to enable moving them to tainted nodes.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Edit the ConfigMap
object:
To assign tolerations to a component that monitors core OKD projects:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Specify tolerations
for the component:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>:
tolerations:
<toleration_specification>
Substitute <component>
and <toleration_specification>
accordingly.
For example, oc adm taint nodes node1 key1=value1:NoSchedule
adds a taint to node1
with the key key1
and the value value1
. This prevents monitoring components from deploying pods on node1
unless a toleration is configured for that taint. The following example configures the alertmanagerMain
component to tolerate the example taint:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
alertmanagerMain:
tolerations:
- key: "key1"
operator: "Equal"
value: "value1"
effect: "NoSchedule"
To assign tolerations to a component that monitors user-defined projects:
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Specify tolerations
for the component:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
tolerations:
<toleration_specification>
Substitute <component>
and <toleration_specification>
accordingly.
For example, oc adm taint nodes node1 key1=value1:NoSchedule
adds a taint to node1
with the key key1
and the value value1
. This prevents monitoring components from deploying pods on node1
unless a toleration is configured for that taint. The following example configures the thanosRuler
component to tolerate the example taint:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
thanosRuler:
tolerations:
- key: "key1"
operator: "Equal"
value: "value1"
effect: "NoSchedule"
Save the file to apply the changes. The new component placement configuration is applied automatically.
Configurations applied to the |
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
See the OKD documentation on taints and tolerations
See the Kubernetes documentation on taints and tolerations
Running cluster monitoring with persistent storage means that your metrics are stored to a persistent volume (PV) and can survive a pod being restarted or recreated. This is ideal if you require your metrics or alerting data to be guarded from data loss. For production environments, it is highly recommended to configure persistent storage. Because of the high IO demands, it is advantageous to use local storage.
Dedicate sufficient local persistent storage to ensure that the disk does not become full. How much storage you need depends on the number of pods.
Make sure you have a persistent volume (PV) ready to be claimed by the persistent volume claim (PVC), one PV for each replica. Because Prometheus has two replicas and Alertmanager has three replicas, you need five PVs to support the entire monitoring stack. The PVs should be available from the Local Storage Operator. This does not apply if you enable dynamically provisioned storage.
Use the block type of storage.
If you use a local volume for persistent storage, do not use a raw block volume, which is described with |
For monitoring components to use a persistent volume (PV), you must configure a persistent volume claim (PVC).
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Edit the ConfigMap
object:
To configure a PVC for a component that monitors core OKD projects:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add your PVC configuration for the component under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>:
volumeClaimTemplate:
spec:
storageClassName: <storage_class>
resources:
requests:
storage: <amount_of_storage>
See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify volumeClaimTemplate
.
The following example configures a PVC that claims local persistent storage for the Prometheus instance that monitors core OKD components:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
volumeClaimTemplate:
spec:
storageClassName: local-storage
resources:
requests:
storage: 40Gi
In the above example, the storage class created by the Local Storage Operator is called local-storage
.
The following example configures a PVC that claims local persistent storage for Alertmanager:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
alertmanagerMain:
volumeClaimTemplate:
spec:
storageClassName: local-storage
resources:
requests:
storage: 10Gi
To configure a PVC for a component that monitors user-defined projects:
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add your PVC configuration for the component under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
volumeClaimTemplate:
spec:
storageClassName: <storage_class>
resources:
requests:
storage: <amount_of_storage>
See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify volumeClaimTemplate
.
The following example configures a PVC that claims local persistent storage for the Prometheus instance that monitors user-defined projects:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
volumeClaimTemplate:
spec:
storageClassName: local-storage
resources:
requests:
storage: 40Gi
In the above example, the storage class created by the Local Storage Operator is called local-storage
.
The following example configures a PVC that claims local persistent storage for Thanos Ruler:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
thanosRuler:
volumeClaimTemplate:
spec:
storageClassName: local-storage
resources:
requests:
storage: 10Gi
Storage requirements for the |
Save the file to apply the changes. The pods affected by the new configuration are restarted automatically and the new storage configuration is applied.
Configurations applied to the |
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
By default, Prometheus automatically retains metrics data for 15 days.
You can modify the retention time to change how soon data is deleted by specifying a time value in the retention
field.
You can also configure the maximum amount of disk space the retained metrics data uses by specifying a size value in the retentionSize
field.
If the data reaches this size limit, Prometheus deletes the oldest data first until the disk space used is again below the limit.
Note the following behaviors of these data retention settings:
The size-based retention policy applies to all data block directories in the /prometheus
directory, including persistent blocks, write-ahead log (WAL) data, and m-mapped chunks.
Data in the /wal
and /head_chunks
directories counts toward the retention size limit, but Prometheus never purges data from these directories based on size- or time-based retention policies.
Thus, if you set a retention size limit lower than the maximum size set for the /wal
and /head_chunks
directories, you have configured the system not to retain any data blocks in the /prometheus
data directories.
The size-based retention policy is applied only when Prometheus cuts a new data block, which occurs every two hours after the WAL contains at least three hours of data.
If you do not explicitly define values for either retention
or retentionSize
, retention time defaults to 15 days, and retention size is not set.
If you define values for both retention
and retentionSize
, both values apply.
If any data blocks exceed the defined retention time or the defined size limit, Prometheus purges these data blocks.
If you define a value for retentionSize
and do not define retention
, only the retentionSize
value applies.
If you do not define a value for retentionSize
and only define a value for retention
, only the retention
value applies.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are configuring components that monitor user-defined projects:
A cluster administrator has enabled monitoring for user-defined projects.
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Saving changes to a monitoring config map might restart monitoring processes and redeploy the pods and other resources in the related project. The running monitoring processes in that project might also restart. |
Edit the ConfigMap
object:
To modify the retention time and size for the Prometheus instance that monitors core OKD projects:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add the retention time and size configuration under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
retention: <time_specification> (1)
retentionSize: <size_specification> (2)
1 | The retention time: a number directly followed by ms (milliseconds), s (seconds), m (minutes), h (hours), d (days), w (weeks), or y (years). You can also combine time values for specific times, such as 1h30m15s . |
2 | The retention size: a number directly followed by B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes), PB (petabytes), and EB (exabytes). |
The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors core OKD components:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
retention: 24h
retentionSize: 10GB
To modify the retention time and size for the Prometheus instance that monitors user-defined projects:
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add the retention time and size configuration under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
retention: <time_specification> (1)
retentionSize: <size_specification> (2)
1 | The retention time: a number directly followed by ms (milliseconds), s (seconds), m (minutes), h (hours), d (days), w (weeks), or y (years).
You can also combine time values for specific times, such as 1h30m15s . |
2 | The retention size: a number directly followed by B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes), PB (petabytes), or EB (exabytes). |
The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors user-defined projects:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
retention: 24h
retentionSize: 10GB
Save the file to apply the changes. The pods affected by the new configuration restart automatically.
You can configure remote write storage to enable Prometheus to send ingested metrics to remote systems for long-term storage. Doing so has no impact on how or for how long Prometheus stores metrics.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin
role or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
You have set up a remote write compatible endpoint (such as Thanos) and know the endpoint URL. See the Prometheus remote endpoints and storage documentation for information about endpoints that are compatible with the remote write feature.
You have set up authentication credentials in a Secret
object for the remote write endpoint.
You must create the secret in the same namespace as the Prometheus object for which you configure remote write: the openshift-monitoring
namespace for default platform monitoring or the openshift-user-workload-monitoring
namespace for user workload monitoring.
To reduce security risks, use HTTPS and authentication to send metrics to an endpoint. |
Follow these steps to configure remote write for default platform monitoring in the cluster-monitoring-config
config map in the openshift-monitoring
namespace.
If you configure remote write for the Prometheus instance that monitors user-defined projects, make similar edits to the |
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add a remoteWrite:
section under data/config.yaml/prometheusK8s
.
Add an endpoint URL and authentication credentials in this section:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write-endpoint.example.com" (1)
<endpoint_authentication_credentials> (2)
1 | The URL of the remote write endpoint. |
2 | The authentication method and credentials for the endpoint.
Currently supported authentication methods are AWS Signature Version 4, authentication using HTTP an Authorization request header, basic authentication, OAuth 2.0, and TLS client.
See Supported remote write authentication settings below for sample configurations of supported authentication methods. |
Add write relabel configuration values after the authentication credentials:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write-endpoint.example.com"
<endpoint_authentication_credentials>
<write_relabel_configs> (1)
1 | The write relabel configuration settings. |
For <write_relabel_configs>
substitute a list of write relabel configurations for metrics that you want to send to the remote endpoint.
The following sample shows how to forward a single metric called my_metric
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write-endpoint.example.com"
writeRelabelConfigs:
- sourceLabels: [__name__]
regex: 'my_metric'
action: keep
See the Prometheus relabel_config documentation for information about write relabel configuration options.
Save the file to apply the changes to the ConfigMap
object.
The pods affected by the new configuration restart automatically.
Configurations applied to the |
Saving changes to a monitoring |
You can use different methods to authenticate with a remote write endpoint. Currently supported authentication methods are AWS Signature Version 4, basic authentication, authorization, OAuth 2.0, and TLS client. The following table provides details about supported authentication methods for use with remote write.
Authentication method | Config map field | Description |
---|---|---|
AWS Signature Version 4 |
|
This method uses AWS Signature Version 4 authentication to sign requests. You cannot use this method simultaneously with authorization, OAuth 2.0, or basic authentication. |
basic authentication |
|
Basic authentication sets the authorization header on every remote write request with the configured username and password. |
authorization |
|
Authorization sets the |
OAuth 2.0 |
|
An OAuth 2.0 configuration uses the client credentials grant type.
Prometheus fetches an access token from |
TLS client |
|
A TLS client configuration specifies the CA certificate, the client certificate, and the client key file information used to authenticate with the remote write endpoint server using TLS. The sample configuration assumes that you have already created a CA certificate file, a client certificate file, and a client key file. |
The following shows the location of the authentication configuration in the ConfigMap
object for default platform monitoring.
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write-endpoint.example.com" (1)
<endpoint_authentication_details> (2)
1 | The URL of the remote write endpoint. |
2 | The required configuration details for the authentication method for the endpoint. Currently supported authentication methods are Amazon Web Services (AWS) Signature Version 4, authorization, basic authentication, OAuth 2.0, and TLS client. |
If you configure remote write for the Prometheus instance that monitors user-defined projects, edit the |
The following samples show different authentication settings you can use to connect to a remote write endpoint.
Each sample also shows how to configure a corresponding Secret
object that contains authentication credentials and other relevant settings.
Each sample configures authentication for use with default platform monitoring in the openshift-monitoring
namespace.
The following shows the settings for a sigv4
secret named sigv4-credentials
in the openshift-monitoring
namespace.
apiVersion: v1
kind: Secret
metadata:
name: sigv4-credentials
namespace: openshift-monitoring
stringData:
accessKey: <AWS_access_key> (1)
secretKey: <AWS_secret_key> (2)
type: Opaque
1 | The AWS API access key. |
2 | The AWS API secret key. |
The following shows sample AWS Signature Version 4 remote write authentication settings that use a Secret
object named sigv4-credentials
in the openshift-monitoring
namespace:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://authorization.example.com/api/write"
sigv4:
region: <AWS_region> (1)
accessKey:
name: sigv4-credentials (2)
key: accessKey (3)
secretKey:
name: sigv4-credentials (2)
key: secretKey (4)
profile: <AWS_profile_name> (5)
roleArn: <AWS_role_arn> (6)
1 | The AWS region. |
2 | The name of the Secret object containing the AWS API access credentials. |
3 | The key that contains the AWS API access key in the specified Secret object. |
4 | The key that contains teh AWS API secret key in the specified Secret object. |
5 | The name of the AWS profile that is being used to authenticate. |
6 | The unique identifier for the Amazon Resource Name (ARN) assigned to your role. |
The following shows sample basic authentication settings for a Secret
object named rw-basic-auth
in the openshift-monitoring
namespace:
apiVersion: v1
kind: Secret
metadata:
name: rw-basic-auth
namespace: openshift-monitoring
stringData:
user: <basic_username> (1)
password: <basic_password> (2)
type: Opaque
1 | The username. |
2 | The password. |
The following sample shows a basicAuth
remote write configuration that uses a Secret
object named rw-basic-auth
in the openshift-monitoring
namespace.
It assumes that you have already set up authentication credentials for the endpoint.
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://basicauth.example.com/api/write"
basicAuth:
username:
name: rw-basic-auth (1)
key: user (2)
password:
name: rw-basic-auth (1)
key: password (3)
1 | The name of the Secret object that contains the authentication credentials. |
2 | The key that contains the username in the specified Secret object. |
3 | The key that contains the password in the specified Secret object. |
Secret
ObjectThe following shows bearer token settings for a Secret
object named rw-bearer-auth
in the openshift-monitoring
namespace:
apiVersion: v1
kind: Secret
metadata:
name: rw-bearer-auth
namespace: openshift-monitoring
stringData:
token: <authentication_token> (1)
type: Opaque
1 | The authentication token. |
The following shows sample bearer token config map settings that use a Secret
object named rw-bearer-auth
in the openshift-monitoring
namespace:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
enableUserWorkload: true
prometheusK8s:
remoteWrite:
- url: "https://authorization.example.com/api/write"
authorization:
type: Bearer (1)
credentials:
name: rw-bearer-auth (2)
key: token (3)
1 | The authentication type of the request. The default value is Bearer . |
2 | The name of the Secret object that contains the authentication credentials. |
3 | The key that contains the authentication token in the specified Secret object. |
The following shows sample OAuth 2.0 settings for a Secret
object named oauth2-credentials
in the openshift-monitoring
namespace:
apiVersion: v1
kind: Secret
metadata:
name: oauth2-credentials
namespace: openshift-monitoring
stringData:
id: <oauth2_id> (1)
secret: <oauth2_secret> (2)
token: <oauth2_authentication_token> (3)
type: Opaque
1 | The Oauth 2.0 ID. |
2 | The OAuth 2.0 secret. |
3 | The OAuth 2.0 token. |
The following shows an oauth2
remote write authentication sample configuration that uses a Secret
object named oauth2-credentials
in the openshift-monitoring
namespace:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://test.example.com/api/write"
oauth2:
clientId:
secret:
name: oauth2-credentials (1)
key: id (2)
clientSecret:
name: oauth2-credentials (1)
key: secret (2)
tokenUrl: https://example.com/oauth2/token (3)
scopes: (4)
- <scope_1>
- <scope_2>
endpointParams: (5)
param1: <parameter_1>
param2: <parameter_2>
1 | The name of the corresponding Secret object. Note that ClientId can alternatively refer to a ConfigMap object, although clientSecret must refer to a Secret object. |
2 | The key that contains the OAuth 2.0 credentials in the specified Secret object. |
3 | The URL used to fetch a token with the specified clientId and clientSecret . |
4 | The OAuth 2.0 scopes for the authorization request. These scopes limit what data the tokens can access. |
5 | The OAuth 2.0 authorization request parameters required for the authorization server. |
The following shows sample TLS client settings for a tls
Secret
object named mtls-bundle
in the openshift-monitoring
namespace.
apiVersion: v1
kind: Secret
metadata:
name: mtls-bundle
namespace: openshift-monitoring
data:
ca.crt: <ca_cert> (1)
client.crt: <client_cert> (2)
client.key: <client_key> (3)
type: tls
1 | The CA certificate in the Prometheus container with which to validate the server certificate. |
2 | The client certificate for authentication with the server. |
3 | The client key. |
The following sample shows a tlsConfig
remote write authentication configuration that uses a TLS Secret
object named mtls-bundle
.
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
remoteWrite:
- url: "https://remote-write-endpoint.example.com"
tlsConfig:
ca:
secret:
name: mtls-bundle (1)
key: ca.crt (2)
cert:
secret:
name: mtls-bundle (1)
key: client.crt (3)
keySecret:
name: mtls-bundle (1)
key: client.key (4)
1 | The name of the corresponding Secret object that contains the TLS authentication credentials. Note that ca and cert can alternatively refer to a ConfigMap object, though keySecret must refer to a Secret object. |
2 | The key in the specified Secret object that contains the CA certificate for the endpoint. |
3 | The key in the specified Secret object that contains the client certificate for the endpoint. |
4 | The key in the specified Secret object that contains the client key secret. |
See Setting up remote write compatible endpoints for steps to create a remote write compatible endpoint (such as Thanos).
See Tuning remote write settings for information about how to optimize remote write settings for different use cases.
See Understanding secrets for steps to create and configure Secret
objects in OKD.
See the Prometheus REST API reference for remote write for information about additional optional fields.
Developers can create labels to define attributes for metrics in the form of key-value pairs. The number of potential key-value pairs corresponds to the number of possible values for an attribute. An attribute that has an unlimited number of potential values is called an unbound attribute. For example, a customer_id
attribute is unbound because it has an infinite number of possible values.
Every assigned key-value pair has a unique time series. The use of many unbound attributes in labels can result in an exponential increase in the number of time series created. This can impact Prometheus performance and can consume a lot of disk space.
Cluster administrators can use the following measures to control the impact of unbound metrics attributes in user-defined projects:
Limit the number of samples that can be accepted per target scrape in user-defined projects
Create alerts that fire when a scrape sample threshold is reached or when the target cannot be scraped
Limiting scrape samples can help prevent the issues caused by adding many unbound attributes to labels. Developers can also prevent the underlying cause by limiting the number of unbound attributes that they define for metrics. Using attributes that are bound to a limited set of possible values reduces the number of potential key-value pair combinations. |
You can limit the number of samples that can be accepted per target scrape in user-defined projects.
If you set a sample limit, no further sample data is ingested for that target scrape after the limit is reached. |
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add the enforcedSampleLimit
configuration to data/config.yaml
to limit the number of samples that can be accepted per target scrape in user-defined projects:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
enforcedSampleLimit: 50000 (1)
1 | A value is required if this parameter is specified. This enforcedSampleLimit example limits the number of samples that can be accepted per target scrape in user-defined projects to 50,000. |
Save the file to apply the changes. The limit is applied automatically.
Configurations applied to the |
When changes are saved to the |
You can create alerts that notify you when:
The target cannot be scraped or is not available for the specified for
duration
A scrape sample threshold is reached or is exceeded for the specified for
duration
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have enabled monitoring for user-defined projects.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have limited the number of samples that can be accepted per target scrape in user-defined projects, by using enforcedSampleLimit
.
You have installed the OpenShift CLI (oc
).
Create a YAML file with alerts that inform you when the targets are down and when the enforced sample limit is approaching. The file in this example is called monitoring-stack-alerts.yaml
:
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
prometheus: k8s
role: alert-rules
name: monitoring-stack-alerts (1)
namespace: ns1 (2)
spec:
groups:
- name: general.rules
rules:
- alert: TargetDown (3)
annotations:
message: '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service
}} targets in {{ $labels.namespace }} namespace are down.' (4)
expr: 100 * (count(up == 0) BY (job, namespace, service) / count(up) BY (job,
namespace, service)) > 10
for: 10m (5)
labels:
severity: warning (6)
- alert: ApproachingEnforcedSamplesLimit (7)
annotations:
message: '{{ $labels.container }} container of the {{ $labels.pod }} pod in the {{ $labels.namespace }} namespace consumes {{ $value | humanizePercentage }} of the samples limit budget.' (8)
expr: scrape_samples_scraped/50000 > 0.8 (9)
for: 10m (10)
labels:
severity: warning (11)
1 | Defines the name of the alerting rule. |
2 | Specifies the user-defined project where the alerting rule will be deployed. |
3 | The TargetDown alert will fire if the target cannot be scraped or is not available for the for duration. |
4 | The message that will be output when the TargetDown alert fires. |
5 | The conditions for the TargetDown alert must be true for this duration before the alert is fired. |
6 | Defines the severity for the TargetDown alert. |
7 | The ApproachingEnforcedSamplesLimit alert will fire when the defined scrape sample threshold is reached or exceeded for the specified for duration. |
8 | The message that will be output when the ApproachingEnforcedSamplesLimit alert fires. |
9 | The threshold for the ApproachingEnforcedSamplesLimit alert. In this example the alert will fire when the number of samples per target scrape has exceeded 80% of the enforced sample limit of 50000 . The for duration must also have passed before the alert will fire. The <number> in the expression scrape_samples_scraped/<number> > <threshold> must match the enforcedSampleLimit value defined in the user-workload-monitoring-config ConfigMap object. |
10 | The conditions for the ApproachingEnforcedSamplesLimit alert must be true for this duration before the alert is fired. |
11 | Defines the severity for the ApproachingEnforcedSamplesLimit alert. |
Apply the configuration to the user-defined project:
$ oc apply -f monitoring-stack-alerts.yaml
See Determining why Prometheus is consuming a lot of disk space for steps to query which metrics have the highest number of scrape samples.
The OKD monitoring stack includes a local Alertmanager instance that routes alerts from Prometheus.
You can add external Alertmanager instances by configuring the cluster-monitoring-config
config map in either the openshift-monitoring
project or the user-workload-monitoring-config
project.
If you add the same external Alertmanager configuration for multiple clusters and disable the local instance for each cluster, you can then manage alert routing for multiple clusters by using a single external Alertmanager instance.
You have installed the OpenShift CLI (oc
).
If you are configuring core OKD monitoring components in the openshift-monitoring
project:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
config map.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
config map.
Edit the ConfigMap
object.
To configure additional Alertmanagers for routing alerts from core OKD projects:
Edit the cluster-monitoring-config
config map in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add an additionalAlertmanagerConfigs:
section under data/config.yaml/prometheusK8s
.
Add the configuration details for additional Alertmanagers in this section:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
additionalAlertmanagerConfigs:
- <alertmanager_specification>
For <alertmanager_specification>
, substitute authentication and other configuration details for additional Alertmanager instances.
Currently supported authentication methods are bearer token (bearerToken
) and client TLS (tlsConfig
).
The following sample config map configures an additional Alertmanager using a bearer token with client TLS authentication:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
additionalAlertmanagerConfigs:
- scheme: https
pathPrefix: /
timeout: "30s"
apiVersion: v1
bearerToken:
name: alertmanager-bearer-token
key: token
tlsConfig:
key:
name: alertmanager-tls
key: tls.key
cert:
name: alertmanager-tls
key: tls.crt
ca:
name: alertmanager-tls
key: tls.ca
staticConfigs:
- external-alertmanager1-remote.com
- external-alertmanager1-remote2.com
To configure additional Alertmanager instances for routing alerts from user-defined projects:
Edit the user-workload-monitoring-config
config map in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add a <component>/additionalAlertmanagerConfigs:
section under data/config.yaml/
.
Add the configuration details for additional Alertmanagers in this section:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>:
additionalAlertmanagerConfigs:
- <alertmanager_specification>
For <component>
, substitute one of two supported external Alertmanager components: prometheus
or thanosRuler
.
For <alertmanager_specification>
, substitute authentication and other configuration details for additional Alertmanager instances.
Currently supported authentication methods are bearer token (bearerToken
) and client TLS (tlsConfig
).
The following sample config map configures an additional Alertmanager using Thanos Ruler with a bearer token and client TLS authentication:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
thanosRuler:
additionalAlertmanagerConfigs:
- scheme: https
pathPrefix: /
timeout: "30s"
apiVersion: v1
bearerToken:
name: alertmanager-bearer-token
key: token
tlsConfig:
key:
name: alertmanager-tls
key: tls.key
cert:
name: alertmanager-tls
key: tls.crt
ca:
name: alertmanager-tls
key: tls.ca
staticConfigs:
- external-alertmanager1-remote.com
- external-alertmanager1-remote2.com
Configurations applied to the |
Save the file to apply the changes to the ConfigMap
object.
The new component placement configuration is applied automatically.
Using the external labels feature of Prometheus, you can attach custom labels to all time series and alerts leaving Prometheus.
If you are configuring core OKD monitoring components:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are configuring components that monitor user-defined projects:
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Edit the ConfigMap
object:
To attach custom labels to all time series and alerts leaving the Prometheus instance that monitors core OKD projects:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Define a map of labels you want to add for every metric under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
externalLabels:
<key>: <value> (1)
1 | Substitute <key>: <value> with a map of key-value pairs where <key> is a unique name for the new label and <value> is its value. |
Do not use |
For example, to add metadata about the region and environment to all time series and alerts, use:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
externalLabels:
region: eu
environment: prod
To attach custom labels to all time series and alerts leaving the Prometheus instance that monitors user-defined projects:
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Define a map of labels you want to add for every metric under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
externalLabels:
<key>: <value> (1)
1 | Substitute <key>: <value> with a map of key-value pairs where <key> is a unique name for the new label and <value> is its value. |
Do not use |
In the |
For example, to add metadata about the region and environment to all time series and alerts related to user-defined projects, use:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
externalLabels:
region: eu
environment: prod
Save the file to apply the changes. The new configuration is applied automatically.
Configurations applied to the |
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps.
You can configure the log level for Alertmanager, Prometheus Operator, Prometheus, Thanos Querier, and Thanos Ruler.
The following log levels can be applied to the relevant component in the cluster-monitoring-config
and user-workload-monitoring-config
ConfigMap
objects:
debug
. Log debug, informational, warning, and error messages.
info
. Log informational, warning, and error messages.
warn
. Log warning and error messages only.
error
. Log error messages only.
The default log level is info
.
If you are setting a log level for Alertmanager, Prometheus Operator, Prometheus, or Thanos Querier in the openshift-monitoring
project:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are setting a log level for Prometheus Operator, Prometheus, or Thanos Ruler in the openshift-user-workload-monitoring
project:
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Edit the ConfigMap
object:
To set a log level for a component in the openshift-monitoring
project:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add logLevel: <log_level>
for a component under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
<component>: (1)
logLevel: <log_level> (2)
1 | The monitoring component that you are applying a log level to. |
2 | The log level to apply to the component. |
To set a log level for a component in the openshift-user-workload-monitoring
project:
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add logLevel: <log_level>
for a component under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
<component>: (1)
logLevel: <log_level> (2)
1 | The monitoring component that you are applying a log level to. |
2 | The log level to apply to the component. |
Save the file to apply the changes. The pods for the component restarts automatically when you apply the log-level change.
Configurations applied to the |
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
Confirm that the log-level has been applied by reviewing the deployment or pod configuration in the related project. The following example checks the log level in the prometheus-operator
deployment in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring get deploy prometheus-operator -o yaml | grep "log-level"
- --log-level=debug
Check that the pods for the component are running. The following example lists the status of pods in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring get pods
If an unrecognized |
You can configure Prometheus to write all queries that have been run by the engine to a log file. You can do so for default platform monitoring and for user-defined workload monitoring.
Because log rotation is not supported, only enable this feature temporarily when you need to troubleshoot an issue. After you finish troubleshooting, disable query logging by reverting the changes you made to the |
You have installed the OpenShift CLI (oc
).
If you are enabling the query log file feature for Prometheus in the openshift-monitoring
project:
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
If you are enabling the query log file feature for Prometheus in the openshift-user-workload-monitoring
project:
You have access to the cluster as a user with the cluster-admin
role, or as a user with the user-workload-monitoring-config-edit
role in the openshift-user-workload-monitoring
project.
You have created the user-workload-monitoring-config
ConfigMap
object.
To set the query log file for Prometheus in the openshift-monitoring
project:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add queryLogFile: <path>
for prometheusK8s
under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
prometheusK8s:
queryLogFile: <path> (1)
1 | The full path to the file in which queries will be logged. |
Save the file to apply the changes.
When you save changes to a monitoring config map, pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
Verify that the pods for the component are running. The following sample command lists the status of pods in the openshift-monitoring
project:
$ oc -n openshift-monitoring get pods
Read the query log:
$ oc -n openshift-monitoring exec prometheus-k8s-0 -- cat <path>
Revert the setting in the config map after you have examined the logged query information. |
To set the query log file for Prometheus in the openshift-user-workload-monitoring
project:
Edit the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add queryLogFile: <path>
for prometheus
under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
queryLogFile: <path> (1)
1 | The full path to the file in which queries will be logged. |
Save the file to apply the changes.
Configurations applied to the |
When you save changes to a monitoring config map, pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
Verify that the pods for the component are running. The following example command lists the status of pods in the openshift-user-workload-monitoring
project:
$ oc -n openshift-user-workload-monitoring get pods
Read the query log:
$ oc -n openshift-user-workload-monitoring exec prometheus-user-workload-0 -- cat <path>
Revert the setting in the config map after you have examined the logged query information. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps
See Enabling monitoring for user-defined projects for steps to enable user-defined monitoring.
For default platform monitoring in the openshift-monitoring
project, you can enable the Cluster Monitoring Operator to log all queries run by Thanos Querier.
Because log rotation is not supported, only enable this feature temporarily when you need to troubleshoot an issue. After you finish troubleshooting, disable query logging by reverting the changes you made to the |
You have installed the OpenShift CLI (oc
).
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
You can enable query logging for Thanos Querier in the openshift-monitoring
project:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add a thanosQuerier
section under data/config.yaml
and add values as shown in the following example:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
thanosQuerier:
enableRequestLogging: <value> (1)
logLevel: <value> (2)
1 | Set the value to true to enable logging and false to disable logging. The default value is false . |
2 | Set the value to debug , info , warn , or error . If no value exists for logLevel , the log level defaults to error . |
Save the file to apply the changes.
When you save changes to a monitoring config map, pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
Verify that the Thanos Querier pods are running. The following sample command lists the status of pods in the openshift-monitoring
project:
$ oc -n openshift-monitoring get pods
Run a test query using the following sample commands as a model:
$ token=`oc sa get-token prometheus-k8s -n openshift-monitoring`
$ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer $token" 'https://thanos-querier.openshift-monitoring.svc:9091/api/v1/query?query=cluster_version'
Run the following command to read the query log:
$ oc -n openshift-monitoring logs <thanos_querier_pod_name> -c thanos-query
Because the |
After you examine the logged query information, disable query logging by changing the enableRequestLogging
value to false
in the config map.
See Preparing to configure the monitoring stack for steps to create monitoring config maps.
In default platform monitoring, you can configure the audit log level for the Prometheus Adapter.
You have installed the OpenShift CLI (oc
).
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
You can set an audit log level for the Prometheus Adapter in the default openshift-monitoring
project:
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add profile:
in the k8sPrometheusAdapter/audit
section under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
k8sPrometheusAdapter:
audit:
profile: <audit_log_level> (1)
1 | The audit log level to apply to the Prometheus Adapter. |
Set the audit log level by using one of the following values for the profile:
parameter:
None
: Do not log events.
Metadata
: Log only the metadata for the request, such as user, timestamp, and so forth. Do not log the request text and the response text. Metadata
is the default audit log level.
Request
: Log only the metadata and the request text but not the response text. This option does not apply for non-resource requests.
RequestResponse
: Log event metadata, request text, and response text. This option does not apply for non-resource requests.
Save the file to apply the changes. The pods for the Prometheus Adapter restart automatically when you apply the change.
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted. |
In the config map, under k8sPrometheusAdapter/audit/profile
, set the log level to Request
and save the file.
Confirm that the pods for the Prometheus Adapter are running. The following example lists the status of pods in the openshift-monitoring
project:
$ oc -n openshift-monitoring get pods
Confirm that the audit log level and audit log file path are correctly configured:
$ oc -n openshift-monitoring get deploy prometheus-adapter -o yaml
...
- --audit-policy-file=/etc/audit/request-profile.yaml
- --audit-log-path=/var/log/adapter/audit.log
Confirm that the correct log level has been applied in the prometheus-adapter
deployment in the openshift-monitoring
project:
$ oc -n openshift-monitoring exec deploy/prometheus-adapter -c prometheus-adapter -- cat /etc/audit/request-profile.yaml
"apiVersion": "audit.k8s.io/v1"
"kind": "Policy"
"metadata":
"name": "Request"
"omitStages":
- "RequestReceived"
"rules":
- "level": "Request"
If you enter an unrecognized |
Review the audit log for the Prometheus Adapter:
$ oc -n openshift-monitoring exec -c <prometheus_adapter_pod_name> -- cat /var/log/adapter/audit.log
See Preparing to configure the monitoring stack for steps to create monitoring config maps.
By default, a read-only Grafana instance is deployed with a collection of dashboards displaying cluster metrics. The Grafana instance is not user-configurable.
You can disable the Grafana deployment, causing the associated resources to be deleted from the cluster. You might do this if you do not need these dashboards and want to conserve resources in your cluster. You will still be able to view metrics and dashboards included in the web console. Grafana can be safely enabled again at any time.
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
ConfigMap
object.
You have installed the OpenShift CLI (oc
).
Edit the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add enabled: false
for the grafana
component under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
grafana:
enabled: false
Save the file to apply the changes. The resources will begin to be removed automatically when you apply the change.
This change results in some components, including Prometheus and the Thanos Querier, being restarted. This might lead to previously collected metrics being lost if you have not yet followed the steps in the "Configuring persistent storage" section. |
Check that the Grafana pod is no longer running. The following example lists the status of pods in the openshift-monitoring
project:
$ oc -n openshift-monitoring get pods
It may take a few minutes after applying the change for these pods to terminate. |
See Preparing to configure the monitoring stack for steps to create monitoring config maps.
A local Alertmanager that routes alerts from Prometheus instances is enabled by default in the openshift-monitoring
project of the OKD monitoring stack.
If you do not need the local Alertmanager, you can disable it by configuring the cluster-monitoring-config
config map in the openshift-monitoring
project.
You have access to the cluster as a user with the cluster-admin
role.
You have created the cluster-monitoring-config
config map.
You have installed the OpenShift CLI (oc
).
Edit the cluster-monitoring-config
config map in the openshift-monitoring
project:
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add enabled: false
for the alertmanagerMain
component under data/config.yaml
:
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-monitoring-config
namespace: openshift-monitoring
data:
config.yaml: |
alertmanagerMain:
enabled: false
Save the file to apply the changes. The Alertmanager instance is disabled automatically when you apply the change.
Learn about remote health reporting and, if necessary, opt out of it.